As the M&A scene is flourishing and new tech companies are popping up everywhere, it is now more important than ever to shed light on the importance of Technology Due Diligence and how it may affect the deal value and the future of the company in question.
Regardless of company size and nature, there are always technology assets of some kind. Technology is usually an important enabler of growth, even for companies that do not offer software for commercial use. Consequently, the state of technology assets may also limit growth or require costly and time-consuming investments.
The severity of a Tech Due Diligence risk is determined by two parameters: impact and likelihood. From our experience of conducting Technology Due Diligences, both from sell-side and buy-side perspectives, we have consolidated the most prominent risks in terms of prevalence and severity. Results from the analysis show that half of the analyzed businesses have at least one high or critical risk in need of immediate attention. This is something that a potential acquirer should include in a 100-day plan, or that a selling party should mitigate before entering a sales process to increase the upcoming deal value. Some of the most severe risks are security vulnerabilities such as non-encrypted hardware or data, improper backup routines, and key man risks.
The most common risk that we encounter is that of legacy technologies. As many as 70% of investigated companies have legacy technologies incorporated in their technology stack, something that may take months or even years of developer resources to remediate. Side effects of having a legacy codebase may also be that competent developers are less attracted to working with the company, thus creating a Catch-22 scenario that is hard to overcome. A tech platform is something that, just like any part of an organization, needs to constantly be maintained to stay modern.
Having an untested or nonexistent disaster recovery and/or business continuity plan is the second most common risk discovered during a Technology Due Diligence. As many as 65% of the analyzed companies did not manage to prove their ability to restore and keep the business running in the event of a disaster – posing an unlikely yet potentially devastating threat to the organization as a whole, as described in a recent BearingPoint Capital article.
Third in order of prevalence comes something that is rather binary - either you have conducted it, or you have not - and that is penetration testing. This is a risk that is not so cumbersome to mitigate, although that depends a bit on the outcome of the pen test. In fact, companies often find it to be a rather useful exercise to go through. This is not only the third most common risk, found in more than half of the Technology Due Diligences, but also one of the most severe ones. Because of its high potential impact, namely that an external person would be able to access and harm internal systems and any data stored there, penetration testing is a matter that should be prioritized.
From a sell-side perspective, being able to prove that the company has sufficient security protection and can restore the systems in case of an outage builds trust with potential acquirers. From the buy-side perspective, these risks can be leveraged in deal price negotiations, and their corresponding mitigating actions can be used as input to the future development of the company.
BearingPoint Capital has a solid track record of conducting Technology Due Diligence for international top-tier clients on the capital markets. Contact Karl Malmström or Mikael Pommert for more information regarding our Technology Due Diligence offerings.
*BearingPoint analysis based on 20 Tech DD projects conducted between 2018 and 2021.